4 in 5 surfers open to browser exploits from fixed flaws

Eight in 10 browsers remain vulnerable to attacks targeting already patched bugs, with the majority of problems stemming from plug-ins such as Java. The figures come from real-world scans by users of Qualys's BrowserCheck service, a free of charge consumer-focused scanning utility released last year. The web-based service …

COMMENTS

This topic is closed for new posts.
  1. Dave Murray

    BrowserCheck Issues

    Qualys's BrowserCheck results for Adobe Acrobat + Reader may not be entirely accurate. I have both Acrobat 8 and Reader 9 on my PC, both fully patched. According to Firefox it is using the plugin from Reader 9 and there is no plugin from my install of Acrobat 8. Something is wrong with their detection mechanism because BrowserCheck says I am using an out of date Reader 8 plugin that needs patched.

    Well it did when I tried the service 6 months ago, haven't checked if they've fixed it since.

  2. CD001

    Hmmm...

    Oki - I go to Qualys's BrowserCheck site and just get a message that says:

    "Javascript Not Enabled

    Please enable javascript in your browser and refresh your page "

    - so you want me to enable a potential security vulnerability to see if I have any potential security vulnerabilities?

    :)

    Yes, yes, I know this is a facetious post :P

    1. benjymous
      FAIL

      And an extension

      If you get that far, it then asks you to install a custom extension.

      So really, all their stats tell us is how many people who'll happily run any old bit of javascript, and install any old extension, are at risk.

      This tells you nothing about the people who, like us, think "Um, what? No." and go away.

      1. starbaby

        Post anonymously?

        Really curious if the stats are based on suckers who install the extension. My reaction was the same as any sane websmurfer, "install random extension from site I just heard about, no thanks".

    2. Graham Marsden
      FAIL

      Exactly...!

      A site that wants to check if my Javascript is secure first asks me to enable Javascript!

      Erm, perhaps they're not aware that that's a pretty good positive result already!!

  3. MaximumFish
    WTF?

    How the hell do you run it?

    I installed this extension in Chrome, curious to see what it would say about my machine, but there doesn't seem to be any way to run it! There's no buttons, no menu options, nothing.

  4. Paul Renault
    Thumb Up

    ..'allelujah!

    Aforementioned article's author attempts and achieves acceptable, accurate alliteration after all anterior attempts.

    At last!

  5. Tzael

    Paranoid Techs vs Automatic Updates

    See, this is what happens when paranoid techies tell their friends to turn off automatic updates. "Oh, don't go installing patches unless you know exactly what they do!" followed weeks or months later by "You've got a virus, why haven't you been installing the patches from Windows Update?" .....

    All I'm saying is that it's called "Automatic Updates" for a reason and recommending that end users turn it off is just stupid.

  6. HMB

    Javascript

    I'm so glad that it's just technical people who still disable JavaScript. It means that as a web developer, any fancy HTML5 will work for everyone except those people, who are enough of a minority for it not to be any problem.

    Don't get me wrong, I write in a backwards compatible way, it's just that modern JavaScript has moved on from the oft-abused popup. You can do seriously great things with animation and UI with modern tools like jQuery. I wrote a JavaScript shopping basket the other day and it's a joy to use as you click add and it's instant, no waiting for a new page from the server when BT are throttling your internet connection down to nothing because you watched 3 programs on iPlayer and BT says that's enough.

    Why not just run a browser with JavaScript engine sand-boxing that gets regular updates? I've used chrome for ages and never had a JavaScript security issue.

  7. Steven Knox
    FAIL

    Doubt It

    "The figures are especially troubling when you consider that consumers who have chosen to scan their system with BrowserCheck in the first place are likely to be more security-aware than the majority of internet users."

    That's a pretty bold assumption there. Most of the security-aware people I know avoid "free" downloadable security scam^Hns like the plague. I'd be more apt to bet that most of the people who have chosen to scan their systems with BrowserCheck are those with low to moderate tech skills who are overwhelmed with the constant stream of updates and still looking for an easy way to get them, hence the desperate download -- and the high unpatched rate.

  8. ³

    You won't feel a thing.

    Qualys? Sounds like something you'd need to see a surgeon for.

    For Firefox I prefer http://www.mozilla.com/en-US/plugincheck/

  9. TerryAcky
    WTF?

    Timewarp

    "The security shortcomings of Java on browsers has prompted some security experts to begin advising surfers to disable the technology."...

    "Experts begin advising"..? Begin??? Experts???

    Like, well, c'mon...hasn't this been the general consensus of the educated world since, well, like about 1996?

    Methinks these 'experts' missed the train some 15 years ago!

  10. Anonymous and no wonder
    Happy

    Just Use It

    Qualys is a quite old name (end of last century), and in my memory reputable and well connected including IBM. Doesn't mean it's safe to use their checker but it's not the same as adding an add-on from an unknown scammer.

    Unfortunately many websites fail miserably if you don't allow JavaScript and unless you want to limit your sources of business supplies (and therefore pay extra or get worse) you have to allow it to run. I even use some little JavaScript on my business sites to "enhance" the use with complete failback.

    My advice - run the tool. If you don't have enough experience to trust it, you don't have enough experience or knowledge NOT to use it :-) But if you can protect yourself normally, it's a useful extra tool and I thank theregister for linking to it.
